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Abstract 

A  watermark  is  a  perceptually  unobtrusive  signal  em¬ 
bedded  in  an  image,  an  audio  or  video  clip,  or  any  other 
other  multimedia  asset.  Its  purpose  is  to  be  a  label  which 
is  holographically  attached  to  the  content.  Moreover,  it 
can  only  be  removed  by  malicious  and  deliberate  attacks 
(without  a  great  loss  of  content  quality)  if  some  secret 
parameter  K  is  known.  In  contrast,  a  watermark  should 
be  readily  detectable  by  electronic  means.  This  implies 
that  electronic  watermark  detection  is  only  feasible  if  the 
watermark  detector  is  aware  of  the  secret  K.  In  many 
watermarking  business  scenarios  the  watermark  detector 
will  be  available  to  the  public  as  a  black  box  D.  The  fol¬ 
lowing  question  is  therefore  justified:  can  the  secret  K  be 
deduced  from  the  operation  of  the  black  box  D?  And  if 
yes,  what  is  the  complexity  of  this  process?  In  this  paper 
we  will  address  this  issue  for  the  watermarking  method 
PatchWork  [1]. 

1  Introduction 

Watermarking  is  a  fundamental  enabling  technology  for 
the  distribution  of  digital  multimedia  (MM)  content.  At 
present  it  is  very  easy  to  distribute  and  copy  digital  mul¬ 
timedia  content.  Without  any  special  precautions  the 
content  generation  and  distribution  industry  will  be  very 
reluctant  to  publish  in  the  digital  domain.  The  slow  in¬ 
troduction  of  the  new  Digital  Versatile  Disk  (DVD)  for¬ 
mat  bears  witness  to  this  tendency. 

Digital  watermarking  is  a  technical  solution  to  the 
copyright  problem.  In  its  basic  form  a  digital  watermark 
W  is  a  small  signal  added  to  MM  content.  The  water¬ 
mark  W  carries  sufficient  data  to  ensure  proper  copyright 
verification.  Due  to  its  intended  purpose  a  watermark 
should  be  unobtrusive  (i.e.  no  perceptible  degradation 
of  the  quality  is  allowed),  easily  detectable  by  dedicated 
software  or  hardware  and  very  difficult  to  remove  by  ma¬ 
licious  and  deliberate  attacks. 

It  is  essential  to  distinguish  two  types  of  applications  of 
watermarking  technology.  In  the  first  type  of  application 
all  content  can  be  enforced  to  contain  a  watermark.  A 
typical  example  is  given  by  (images  on)  bank  notes  and 
smart  cards.  It  is  not  sufficient  for  a  pirate  to  remove  the 
watermark  (i.e.  reconstruct  the  original  content),  but  he 
will  actually  have  to  insert  a  watermark  which  contains 
false  copyright  information.  By  relying  on  cryptographic 
methods  the  complexity  of  this  type  of  attack  can  be 
made  arbitrarily  large. 


In  the  second  type  of  application  watermarking  cannot 
be  enforced.  A  typical  example  is  given  by  film  content  on 
DVD.  The  film  industry  can  enforce  watermarks  on  com¬ 
mercial  digital  video,  but  it  cannot  enforce  watermarking 
of  home  videos.  Therefore  DVD  players  will  have  to  ac¬ 
cept  both  watermarked  (i.e.  copyright  protected)  and 
unwatermarked  content.  This  implies  that  it  is  sufficient 
for  a  pirate  to  remove  a  watermark  from  a  commercial 
video  (i.e.  make  a  good  estimate  of  the  unwatermarked 
original,  also  referred  to  as  unzigning  [2])  in  order  to  in¬ 
validate  the  copyright  protection  mechanism  of  DVD.  In 
this  paper  we  will  focus  on  this  type  of  non-watermark- 
enforced  application. 

In  particular  we  will  study  the  security  risk  associated 
to  the  availability  of  a  watermark  detector.  This  applies 
for  example  to  DVD,  where  a  copyright  system  based  on 
watermarking  will  imply  a  watermark  detector  in  every 
single  DVD  player.  We  will  assume  that  a  pirate  has  a 
general  knowledge  of  the  watermark  embedding  and  de¬ 
tection  scheme,  but  not  of  the  associated  secrets  such  as 
keys  K  or  noise  patterns  W.  The  key  question  addressed 
in  this  paper  is  whether  or  not  the  availability  of  a  detec¬ 
tor  D  allows  the  retrieval  of  a  sufficient  amount  of  secret 
information  to  unzign  watermarked  material. 

It  is  obvious  very  difficult  to  study  this  situation  in 
full  generality.  Therefore  we  will  confine  ourselves  to 
PatchWork,  a  specific  still  image  watermarking  scheme 
introduced  by  Bender  et  al.  [1].  Although  PatchWork  is 
a  relatively  simple  scheme,  it  is  prototypical  for  a  large 
class  of  watermarking  schemes. 

This  paper  is  organized  as  follows.  In  Section  2  we 
recall  the  PatchWork  watermarking  scheme.  In  Section  3 
we  present  a  method  for  retrieving  the  secret  pattern 
W  associated  to  PatchWork.  In  Section  4  this  method 
is  experimentally  validated.  Section  5  summarizes  the 
paper. 

2  The  PatchWork  Watermarking  Scheme 

We  recall  the  watermarking  procedure  PatchWork  as  in¬ 
troduced  in  [1].  Given  an  original  image  A'  =  {r,:}  of  size 
Ni  x  N-2  the  watermark  casting  procedure  of  PatchWork 
starts  with  choosing  a  secret  K.  Depending  on  this  key 
K  the  set  of  image  points  is  partitioned  into  three  sets 
A,  B  and  C,  where  A  and  B  are  of  equal  size.  The  wa¬ 
termarked  image  1’  =  {«/;}  is  now  obtained  by  increasing 
the  luminance  values  of  the  pixels  in  A  with  k,  decreasing 
the  luminance  values  of  B  with  k  and  leaving  the  pixels 
in  C  unchanged.  The  value  of  k  depends  on  the  desired 


robustness  of  the  watermark  (better  with  larger  k)  and 
the  desired  imperceptibility  (better  with  smaller  k). 

The  detection  process  starts  with  modifying  a  suspect 
image  Z  =  {z, }  to  have  zero  mean.  Without  loss  of 
generality  we  may  therefore  assume  that  mean(Z)  =  0. 
Subsequently  the  sets  A,  B  and  C  are  derived  from  the 
secret  key  K  (to  which  the  detector  has  access!).  The 
detector  then  computes  the  decision  value  d  as 


ing).  For  applications  in  which  D  is  publicly  available 
it  is  therefore  essential  that  D  does  not  reveal  any  in¬ 
formation  about  W.  This  is  exactly  the  security  issue 
addressed  in  this  paper. 

Assuming  that  an  attacker  has  access  to  a  detector  D 
and  a  watermarked  image  A'o  we  analyze  the  security  of 
the  PatchWork  scheme.  In  particular,  referring  to  Sec¬ 
tion  1,  we  pose  the  questions  of  how  much  knowledge  can 
be  obtained  about  W  and  what  effort  is  needed  to  obtain 
this  information.  The  following  sections  will  show  that 
it  is  relatively  easy  to  make  an  estimation  of  W. 


where  N  =  AT  AT  is  the  total  number  of  pixels.  It  is 
not  difficult  to  see  that  for  an  unwatermarked  image  the 
expected  value  of  d  is  equal  to  0.  For  a  watermarked  im¬ 
age  however  the  expected  value  of  d  is  equal  to  2kM/N , 
where  M  is  the  size  of  A.  Invoking  some  basic  statis¬ 
tical  theory  it  not  difficult  to  derive  that  the  standard 
deviation  ad  of  the  decision  variable  d  is  given  by 

szV2kM  . 

<?d  ~  - jz - ,  (2) 

where  the  standard  deviation  sz  of  the  image  Z  is  defined 
by 


sz  = 


(3) 


Given  a  threshold  parameter  T,  PatchWork  decides  that 
a  suspect  image  Z  is  watermarked  if  and  only  if  the  com¬ 
puted  decision  variable  d  is  above  Tad.  In  particular  it 
follows  that  we  have  to  constrain  V2 kM  to  be  larger  than 
Tsz  in  the  casting  procedure.  Otherwise  a  watermarked 
image  will  not  be  recognized  as  such  by  the  detector. 

PatchWork  can  be  reformulated  into  a  somewhat  more 
abstract  mathematical  setting.  The  watermark  embed¬ 
ding  procedure  can  be  described  as  adding  a  noise  se¬ 
quence  W  to  an  image  X.  The  noise  sequence  W  =  {re,:} 
is  determined  by  the  secret  key  K.  Moreover,  W  is 
{  —  1,  0,  l}-valued  and  DC-free ,  i.e  ')Ty  Wi  =  0.  The  water¬ 
marked  image  1’  is  then  obtained  as  1’  =  X  +  kW.  The 
detection  procedure  can  be  described  as  the  computation 
of  a  threshold^  correlation  value.  Firstly,  a  suspect  im¬ 
age  Z  is  correlated  with  the  secret  noise  pattern  W  to 
obtain  a  decision  value  d, 

d  =  (Z,W)=^J2ZiWi-  (4) 


This  value  d  is  normalized  to  unit  standard  deviation 
by  dividing  by  ad  (see  Equation  2)  and  then  compared 
with  the  threshold  T.  If  the  outcome  is  larger  than  T 
the  image  is  said  to  be  watermarked  and  otherwise  it  is 
not.  Summarizing  the  above,  the  detection  process  can 
be  described  by  the  following  pseudo-code. 


Z  :=  Z  —  mean(Z); 

Z  :=  Zj  std(Z); 

d  ■=  (S/Lo1  ZiWi)/V2M; 
if  d<  T 

return  —1; 
else 

return  1; 
fi 


It  should  be  obvious  from  the  preceding  that  knowl¬ 
edge  of  W  allows  the  removal  of  watermarks  (unzign- 


3  The  PatchWork  Attack 

The  simplest  method  to  obtain  information  about  W  is 
by  brute  force  trial  and  error.  Starting  with  a  fixed  (un¬ 
marked)  image  A'  we  add  a  DC-free  sequence  V  to  A, 
and  we  check  if  the  resulting  image  is  watermarked  or 
not  (using  the  detector  D).  If  the  outcome  is  negative 
we  choose  another  sequence  V  and  continue  this  process 
until  the  detector  indicates  that  we  have  found  a  water¬ 
marked  image.  The  sequence  V  is  then  our  estimation  of 
W.  It  is  not  difficult  to  see  that  this  process  is  exponen¬ 
tial  in  the  number  of  pixels  N,  and  is  therefore  infeasible 
in  practice. 

In  this  paper  we  propose  an  attack  which,  for  any  de¬ 
sired  accuracy,  is  polynomial  in  N.  The  basic  idea  of  the 
attack  is  to  fix  an  image  AT  and  offer  small  perturba¬ 
tions  of  AT  to  the  detector  D.  By  observing  the  output 
of  D,  information  about  W  is  obtained.  It  is  obvious  that 
nothing  can  be  learned  if  the  start  image  AT  is  far  below 
the  watermarking  threshold  T.  Any  small  perturbation 
of  AT  will  cause  D  to  give  out  the  decision  “not  water¬ 
marked”.  For  the  same  reason  nothing  can  be  learned 
from  a  start  image  AT  which  is  far  above  threshold.  The 
first  phase  of  the  proposed  attack  therefore  generates  an 
image  AT  which  is  approximately  at  threshold.  As  we 
have  indicated  in  the  opening  paragraph  of  this  section, 
it  is  difficult  to  generate  such  an  image  from  scratch. 
A  watermarked  image  A'o  is  therefore  required  as  input. 
The  signal  AT  can  be  obtained  from  A0  by  gradually  re¬ 
ducing  the  image  quality  of  M0.  Several  methods  can  be 
applied  for  this  purpose.  One  method  iteratively  replaces 
sample  values  of  A0  by  the  mean  value  of  M0.  Another 
method  consists  of  blurring  M0  using  a  decreasing  pass 
band  width.  In  the  experiments  presented  in  Section  4 
we  have  chosen  the  former  method  as  it  has  lower  com¬ 
plexity.  A  geometrical  interpretation  of  this  first  phase  is 
represented  in  Figure  1.  The  curved  dashed  line  in  this 
figure  represent  the  path  traversed  by  A'o  when  image 
quality  is  gradually  decreasing. 

In  the  second  phase  of  the  attack  we  perturb  AT  by 
adding  DC-free  {— k,  +&}-valued  noise  sequences  V  and 
feeding  AT  +  V  to  D.  If  the  correlation  between  V  and 
W  is  positive  there  is  a  slightly  increased  chance  that  D 
gives  “watermarked”  as  output.  If  W  and  V  are  nega¬ 
tively  correlated  there  is  a  slightly  increased  chance  of 
D  giving  out  “not  watermarked” .  In  the  former  case  we 
take  V  as  an  approximation  of  W,  in  the  latter  case  we 
take  —V  as  an  approximation  of  W.  These  perturba¬ 
tions  of  AT  are  geometrically  represented  in  Figure  1  as 
the  shaded  sphere  around  AT.  The  lighter  and  darker 
shaded  areas  of  this  sphere  indicate  the  negatively  and 
positively  correlated  perturbations,  respectively.  By  av¬ 
eraging  over  all  intermediate  estimations  we  obtain  an 
estimate  of  W  up  to  a  positive  scalar  k.  The  final  ap- 


proximation  of  W  is  obtained  by  scaling  and  quantizing 
to  the  domain  {  —  1,  0,  +1}. 

When  perturbing  X\  there  is  a  choice  in  the  strength 
k  of  the  perturbations.  If  k  is  either  too  small  or  too 
large  the  variation  in  standard  deviation  of  the  perturbed 
images  has  a  dominant  effect  on  the  outcome  of  the  ex¬ 
periments.  These  cases  can  however  easily  be  recognized 
by  comparing  the  standard  deviation  of  the  intermedi¬ 
ate  estimation  with  the  theoretical  standard  deviation 
for  experiments  on  non-watermarked  images  (see  step  8b 
in  the  pseudo-code  below).  If  k  is  “just  right”  (quoting 
Goldilocks)  then  the  measured  standard  deviation  will  be 
(significantly)  larger  than  this  theoretical  standard  devi¬ 
ation.  In  the  pseudo-code  below  we  obtain  a  proper  value 
of  k  by  monotonically  increasing  k ,  starting  at  the  value 
k  =  l. 

A  formal  description  of  the  attack  is  given  below. 


Figure  1:  A  geometrical  interpretation  of  the  watermark 
attack. 

PatchWork  Attack  Pseudo-Code 

Input : 

detector  D  ; 

watermarked  image  A'o  ; 
total  number  of  iterations  K  ; 

Output: 

estimation  W  of  watermark  secret  W  ; 

1.  Degrade  A'0  to  AT  at  threshold  of  detection. 

2.  (a)  k  :=  0. 

{  Initial  perturbation  parameter  } 

(b)  kf  :=  0. 

{  k  too  small  } 

3.  k  :=  k  +  1. 

{  Increment  perturbation  parameter  } 

4.  (a)  W  =  0. 

{  Initialize  watermark  estimation  } 

(b)  M  =  0. 

{  Initialize  loop  counter  } 


5.  (a)  M  :  M  +  1. 

{  Increment  loop  counter  } 

(b)  V  =  dcfreeQ. 

{  Random  DC-free  V ,  m  E  {  —  1,  +1}  } 

6.  d  =  D(AT  +k*V). 

{  Perturb  and  record  decision  } 

7.  W  :=  W  +  d  *  V. 

{  Update  W  } 

8.  If  kf  ==  0 

{  Proper  k  not  yet  found  } 

(a)  If  M  <  N  go  back  to  5. 

{  Too  few  iterations  to  make  a  decision  } 

(b)  Else 

i.  If  std(IT)  «  \/N  go  back  to  3 
{  k  too  small  } 

ii.  Else  kf  :=  1. 

{  k  large  enough  } 

9.  If  kf  ==  1  and  M  <  K  go  back  to  5 

{  Not  enough  iterations  } 

10.  W  :  =  quantize(II'). 

{  Scale  and  round  W  to  domain  {-1,0, +1}  } 

It  can  be  proved  that  this  procedure  recovers  the  se¬ 
cret  W  for  any  desired  accuracy  in  0{N2)  experiments 
(i.e  loop  traversals).  The  full  argumentation  for  the  cor¬ 
rectness  of  the  presented  attack  and  its  complexity  will 
be  provided  in  a  forthcoming  paper.  In  [3]  a  slightly  gen¬ 
eralized  attack  will  be  presented  which  can  also  deal  with 
a  larger  class  of  watermarking  methods. 

The  basic  idea  of  using  perturbations  for  watermark 
hacking  has  first  been  presented  in  [4]  and  [5].  The  attack 
methods  in  these  papers  are  however  mainly  of  a  theo¬ 
retical  nature.  The  overall  conclusion  of  both  approaches 
however  is  the  same:  watermark  detection  schemes  which 
are  based  on  thresliolded  correlation  can  be  cracked  in 
0{N2)  experiments  (i.e  loop  traversals). 

4  Experiments 

The  attack  described  in  Section  3  has  experimentally 
been  verified.  An  attack  was  simulated  in  MATLAB  for  a 
watermarked  image1  of  size  128  x  128  (marked  at  9  times 
standard  deviation)  and  a  software  model  of  a  watermark 
detector  with  T  =  7.  The  chosen  image  size  128  x  128 
is  realistic  in  the  sense  that  any  practical  watermarking 
scheme  will  use  tiling  with  moderately  sized  tiles,  usually 
smaller  than  128  x  128.  A  watermark  detector  in  such 
a  system  essentially  computes  correlation  values  on  the 
basis  of  this  tile  size. 

The  watermarks  sequence  W  used  in  this  experiment 
has  an  average  energy  of  0.5,  e.g.  M  =  N/4  (see  Sec¬ 
tion  2). 

First  an  image  at  the  threshold  of  detection  was  ob¬ 
tained  by  iteratively  replacing  sample  values  by  the  mean 
value  of  the  image  (see  Figure  2).  This  threshold  image 
was  used  for  a  number  of  experiments  in  which  the  qual¬ 
ity  of  watermark  retrieval  was  measured  as  a  function  of 
the  perturbation  strength  k  and  the  total  number  of  it¬ 
erations  K.  The  results  are  given  Figure  3.  The  quality 

JThe  central  part  of  the  well  known  Lena  image  was  chosen 
for  this  experiment. 


of  retrieval  is  measured  in  the  percentage  of  watermarks 
bits  which  are  correctly  estimated.  The  number  of  itera¬ 
tions  is  measured  in  multiples  of  the  number  of  samples 
N  =  1282.  The  figure  clearly  shows  that  the  percentage 
of  retrieval  is  easily  above  90%  for  a  moderated  number 
of  iterations.  The  figure  also  shows  that  the  attack  is 
reasonably  insensitive  to  the  exact  value  of  k  as  long  as 
k  is  not  too  small  or  too  large.  In  Figure  4  the  distribu¬ 
tion  of  sample  values  of  W  before  quantization  is  plotted 
for  K  =  30  *  N  and  k  =  5.  This  figure  clearly  shows  a 
distribution  which  is  divided  in  3  different  regions.  The 
left,  middle  and  region  correspond  to  the  values  which 
are  quantized  to  —1,  0  and  +1  respectively.  From  this 
figure  one  can  also  see  that  about  half  of  the  values  in  W 
is  equal  to  0. 


Figure  2:  The  (partial)  Lena  image  at  detection  thresh¬ 
old. 


Quality  of  retrieval 


Distribution  of  sample  values  in  estimated  watermark 


Figure  4:  Distribution  of  sample  values  in  W  for  K  = 
30  *  N  and  k  =  5. 


5  Conclusions 

In  this  paper  we  have  addressed  the  issue  of  watermark 
security  based  on  the  availability  of  a  watermark  detec¬ 
tor  and  a  single  watermarked  image.  We  extended  the 
work  started  in  [4]  and  [5]  by  presenting  a  simple  at¬ 
tack  method.  We  have  shown  that  for  the  PatchWork 
the  complexity  of  watermark  retrieval  is  quadratic  in  the 
number  of  sample  values.  A  slight  extension  of  the  the¬ 
ory  shows  that  the  same  method  is  applicable  to  all  cor¬ 
relation  based  watermark  methods.  This  implies  that 
watermarking  methods  based  upon  thresholded  correla¬ 
tion  are  not  suited  for  applications  where  watermarking 
cannot  be  enforced  and  the  detector  is  publicly  available 
(DVD). 

References 

[1]  W.  Bender,  D.  Gruhl,  and  N.  Morimoto.  Techniques 
for  data  hiding.  In  Proceedings  of  the  SPIE ,  volume 
2420,  page  40,  San  Jose  CA,  USA,  February  1995. 

[2]  The  unzign  web  page,  http://altern.org/watermark, 
1997. 

[3]  T.  Kalker,  J.P  Linnartz,  and  M.  van  Dijk.  Water¬ 
mark  estimation  through  detector  analysis.  In  Pro¬ 
ceedings  of  the  ICIP ,  Chicago,  October  1998.  Sub¬ 
mitted. 

[4]  I.J.  Cox  and  J.P.M.G.  Linnartz.  Public  watermarks 
and  resistance  to  tampering.  In  Proceedings  of  the 
ICIP ,  Santa  Barbara,  California,  October  1997.  Pa¬ 
per  appears  only  in  CD  version  of  proceedings. 

[5]  J.P.  Linnartz  and  M.  van  Dijk.  Analysis  of  the  sensi¬ 
tivity  attack  against  electronic  watermarks  in  images. 
In  Proceedings  of  the  Workshop  on  Information  Hid¬ 
ing,  Portland,  April  1998.  Submitted. 


Number  of  iterations 


Perturbation  strength 


Figure  3:  Retrieval  percentage  as  a  function  of  the  per¬ 
turbation  strength  k  and  the  total  number  of  iteration 
K. 


